protect your smb infrastructure from ransomware


Post on 04-Apr-2022


PROTECT YOUR WINDOWS SMB FILE INFRASTRUCTURE FROM RANSOMWARE

Technical white paper


CONTENTS

Executive summary
    The case for protection
Introduction
    The case for intelligent storage
    Methods of infection
    Assumptions of the infrastructure
    Windows Server hygiene
Preventing known Ransomware from infected clients
    Installation of File Services Resource Manager on Windows Failover Cluster
    How to identify unknown Ransomware that has not triggered
    Using HPE Nimble Storage snapshots to compare datasets
    Restoration of file system
Summary
Appendix – Free space statistics on Windows Server 2016 or older
Resources and additional links

EXECUTIVE SUMMARY

The case for protection

Ransomware attacks have escalated in the past few years and equally threaten both large and small companies, yet most CIOs have no formal plan to adequately protect themselves from these threats. This technical white paper describes methods to prescriptively prevent known Ransomware attacks, discover new Ransomware attacks, and recover from Ransomware attacks.

The methods described in this paper are part of a hardened infrastructure approach and do not eliminate the need for your existing layered security components, including the following components:

• Intrusion Detection Systems, Firewalls, Switch ACLS, and so on

• Malware scanning suites on clients and servers

• Authentication Authorization Accounting (AAA) and Role-Based Access control

• Running modern (supported) client and server operating systems

• Proper server and client patch levels and security updates

Limitations of scope

This paper describes methods to limit the damage done by virus and Trojan software that could infect your Windows® SMB (Server Message Block) client machines. This paper does not cover protection methods used to prevent a live (interactive) attacker that can probe and react to your infrastructure to cause the maximum amount of damage. In these live attack cases, an attacker can choose to suspend an encryption attack until they have access to a file server logon account. With access to a file server logon account the attacker could determine the storage being used and choose to delete the snapshots prior to starting the encryption process.

Target audience: This document is intended for IT administrators and architects, storage administrators, solution architects, and anyone who has Ransomware concerns or has been attacked by Ransomware.

INTRODUCTION

The case for intelligent storage

The use of intelligent storage along with correctly configured servers can greatly limit the probability of Ransomware infections, and this also minimizes damage from an attack if one occurs. This paper provides highlighted steps to prevent known types of malware infection, along with additional steps to detect infection and recover from infection. These steps heavily utilize information from HPE InfoSight as well as the ability for HPE Nimble Storage to create and maintain a robust and long-life snapshot schedule to aid in restoration far better than a simple Recovery Point Objective (RPO) of the first infection.

Methods of infection

There are two primary ways that a dataset can become compromised: a file-by-file encryption of a dataset or via the wholesale encryption of the target logical device (using BitLocker).

File-by-file Ransomware

If a client is infected with the file-by-file variant of Ransomware, it roughly follows this process:

1. The client generates a public/private key for encryption.

2. The private key is stored locally and on the Ransomware server on the web.

3. The client uses a filter driver to intercept all files with a known extension (such as .XXX).

4. The client decrypts these requests and returns the unencrypted file.

5. The client proactively checks the server to see if the trigger time has expired.

6. The client attempts to encrypt (in background) all files to an .XXX version.

7. The client might also drop executable files on available file shares in an attempt to spread.

8. The client might also scan the local network and use known exploits to spread.

9. At the trigger time, the local copy of the private key is destroyed.

10. Notice is given to the customer to pay the ransom to recover the private key.

As you can see, the steps cover a number of mediation methods. It does not matter if the client disconnects from the internet, because the first indication that you are infected is in step 8—when the damage is done. Additionally, rolling the computer clock backwards (prior to the trigger date) will not work, since the local private key no longer exists.

The insidious nature of this infection is that steps 1 to 5 happen in minutes, and steps 6 to 8 can take months. This gives the Ransomware plenty of time to infect more infrastructure prior to the trigger time. The final trigger state (steps 9 and 10) happens in seconds.

Indications of infections

One indication that you have an infected client is that although the infected client can read the encrypted file, other non-infected clients might only see the file as corrupted data, since they do not view the file through the Ransomware filter driver. Additionally, the view of the file directly from the file server also shows the encrypted version of the file, because it also does not have the Ransomware filter driver loaded.

Disk-locking Ransomware

Disk-locking Ransomware is another type of ransomware that includes the following:

• The targeted machine must be directly infected because the Ransomware needs block-level access (as opposed to file-level access) to the dataset to be encrypted.

• The Ransomware can hijack legitimate security constructs like BitLocker, DiskCryptor, or Syskey, or it installs custom boot loaders in place of your existing MBR.

• The targeted machine must be directly infected to corrupt the datasets since block-level access is required to accomplish tasks such as modifying the MBR or enabling Syskey or BitLocker.

Just as with file-by-file ransomware, this type of infection could take some time to operate (in the case of BitLocker or DiskCryptor) and will attempt to inject neighboring clients with this Ransomware via known exploits.

Indications of infections

Very few indications of this type of infection exist, other than significant extra local disk traffic and CPU usage as local drives are encrypted. However, these symptoms will not be apparent from the server infrastructure, but only directly from the client machines.

Assumptions of the infrastructure

There are a number of factors that are used to present a truly hardened infrastructure, and these factors depend on features available inside of the various components. The first requirement is that the File Sharing service is hosted on a Windows Failover Cluster and the storage presented to that Windows Failover Cluster is done via HPE Nimble Storage. Additionally, these Windows Failover Cluster nodes are expected to be running a modern OS such as Windows Server® 2016 or Windows Server 2019. The customer is also expected to host clients via a supported modern client OS, which is important to eliminate down-revision attacks on SMB and limit other known weaknesses (attack vectors). The entire server and client infrastructure should also be current regarding the OS (Windows Server 2019 recommended), security patches, and a viable and updated anti-virus software.

Windows Server hygiene

Because the Windows Failover Cluster must be created and managed using Domain Admin credentials, it is important to protect these servers as if they were domain controllers. These servers should never be used to perform any workstation duties, including using a web browser, installing client software, checking email, using OneDrive, and so on. Additionally, your shares should not contain executable code (or scripts) that are writable by clients, because this is a common vector for client-to-client infection.

These steps will prevent most infection vectors from disk-locking Ransomware infections, as the only recovery from these types of attacks is commonly bare-metal restoration of the OS on the Windows node. The majority of this paper deals with defeating the file-by-file type Ransomware.

Clients should run modern operating systems so that SMB version 1.0 can be disabled and SMB2+ signing can be enabled/required. This up-levelling of the SMB protocol between the client and host can prevent man-in-the-middle attacks (SMB Signing), as well as prevent weak password transactions (SMB1) from being intercepted. If the clients and server can all support SMB version 3 or newer, full SMB encryption (encryption in-flight) can be enabled.
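The SMB settings described above can be applied and checked with the built-in SMB cmdlets. The following is an added example, not part of the original white paper; the share name 'Finance' is a placeholder, and the commands are meant to be run elevated on each file server node.

```powershell
# Added example (not from the white paper). 'Finance' is a placeholder share name.

# 1. Audit first: record every client that still negotiates SMB1.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# After a representative period, list the SMB1 clients that were logged
# (event ID 3000 in the SMBServer audit log) and the dialects in use right now.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-SmbSession | Group-Object Dialect | Select-Object Name, Count

# 2. Weak setting beside the hardened one.
#    Weak:     EnableSMB1Protocol = $true,  RequireSecuritySignature = $false
#    Hardened: EnableSMB1Protocol = $false, RequireSecuritySignature = $true
Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force

# 3. Only when every client supports SMB 3.0 or newer: encrypt traffic to the share.
Set-SmbShare -Name 'Finance' -EncryptData $true -Force

# 4. Verify: return every server setting that differs from the hardened baseline.
function Test-SmbHardening {
    $expected = [ordered]@{
        EnableSMB1Protocol       = $false
        EnableSMB2Protocol       = $true
        RequireSecuritySignature = $true
    }
    $actual = Get-SmbServerConfiguration
    foreach ($name in $expected.Keys) {
        if ($actual.$name -ne $expected[$name]) {
            [pscustomobject]@{
                Setting  = $name
                Expected = $expected[$name]
                Actual   = $actual.$name
            }
        }
    }
}

Test-SmbHardening   # no output means the node matches the baseline
```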

PREVENTING KNOWN RANSOMWARE FROM INFECTED CLIENTS

Although the server might be Ransomware free, this alone does not stop an infected client from overwriting the exposed file shares with encrypted data. To limit or prevent infected hosts from writing known encrypted files to the file share, use the File Services Resource Manager (FSRM) feature from Microsoft®.

Installation of File Services Resource Manager on Windows Failover Cluster

The first tool to install is FSRM, which will be used to initially set up filters and notifications for file types that are indicative of Ransomware encryption.

The following PowerShell command creates a new FSRM file group that contains the file name patterns associated with known Ransomware.

New-FsrmFileGroup -Name "Ransomware_Extensions" -IncludePattern @(
    "*.k","*.encoderpass","*.key","*.toxcrypt","*.ecc","*.ezz","*.exx","*.zzz","*.xyz","*.aaa","*.abc",
    "*.ccc","*.vvv","*.xxx","*.ttt","*.micro","*.encrypted","*.OMG!","*.locked","*.crypto","_crypt",
    "*.crinf","*.r5a","*.xrtn","*.XTBL","*.crypt","*.R16M01D05","*.pzdc","*.good","*.LOL!","*.RDM","*.HA3",
    "*.encryptedRSA","*.crjoker","*.EnCiPhErEd","*.LeChiffre","*.keybtc@inbox_com","*.0x0","*.RRK",
    "*.bleep","*.1999","*.vault","*.magic","*.SUPERCRYPT","*.CTBL","*.CTB2","*.locky","HELPDECRYPT.TXT",
    "HELP_YOUR_FILES.TXT","HELP_TO_DECRYPT_YOUR_FILES.txt","RECOVERY_KEY.txt","HELP_RESTORE_FILES.txt",
    "HELP_RECOVER_FILES.txt","HELP_TO_SAVE_FILES.txt","DecryptAllFiles.txt","DECRYPT_INSTRUCTIONS.TXT",
    "INSTRUCCIONES_DESCIFRADO.TXT","How_To_Recover_Files.txt","YOUR_FILES.HTML","YOUR_FILES.url",
    "Help_Decrypt.txt","DECRYPT_INSTRUCTION.TXT","HOW_TO_DECRYPT_FILES.TXT","ReadDecryptFilesHere.txt",
    "Coin.Locker.txt","_secret_code.txt","About_Files.txt","DECRYPT_ReadMe.TXT","DecryptAllFiles.txt",
    "FILESAREGONE.TXT","IAMREADYTOPAY.TXT","HELLOTHERE.TXT","READTHISNOW!!!.TXT","SECRETIDHERE.KEY",
    "IHAVEYOURSECRET.KEY","SECRET.KEY","HELPDECYPRT_YOUR_FILES.HTML","help_decrypt_your_files.html",
    "HELP_TO_SAVE_FILES.txt","RECOVERY_FILES.txt","RECOVERY_FILE.TXT","RECOVERY_FILE*.txt",
    "HowtoRESTORE_FILES.txt","HowtoRestore_FILES.txt","howto_recover_file.txt","restorefiles.txt",
    "howrecover+*.txt","_how_recover.txt","recoveryfile*.txt","recoverfile*.txt","recoveryfile*.txt",
    "Howto_Restore_FILES.TXT","help_recover_instructions+*.txt","_Locky_recover_instructions.txt"
)

You would then execute the FSRM tool and use the File Screen option to create a new screen for the share you intend to protect, as shown in FIGURE 1.

FIGURE 1. Creating a new screen to protect a share

After you create the file screen, enable active screening on the specific share, as shown in FIGURE 2.


FIGURE 2. Enabling active screening on the specific share

Note that you can prevent these files from being saved, which protects the file share. Alternatively, you can choose to allow the change and only be notified, as shown in FIGURE 3.

FIGURE 3. Setting File Screen properties for email notification

Additionally, automatic options can be configured to occur if a restricted file type is saved, such as removing the user permissions from the file share completely (to isolate the user from the file share). In extreme cases, the AD Account can be disabled for the user, preventing that user from connecting to other shares inside the company. Any task that can be expressed as a CLI or PowerShell command can be used as a trigger event.
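The file screen, its active or passive mode, and the automatic actions described above can also be created from PowerShell rather than the FSRM console. This is an added example, not part of the original white paper; the share path and the script path are placeholders, and the script is assumed to accept the offending account through a -username parameter.

```powershell
# Added example (not from the white paper). Paths marked "placeholder" are assumptions.

# Install FSRM and its PowerShell module on the node.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

$sharePath   = 'F:\Shares\Finance'               # placeholder: folder behind the protected share
$blockScript = 'C:\Scripts\Block-ShareUser.ps1'  # placeholder: script that takes -username

# Action 1: write a warning to the Application event log.
# The bracketed names are FSRM notification variables, expanded by FSRM at run time.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] attempted to save [Source File Path] (file group [Violated File Group]) on [Server].'

# Action 2: run a command as LocalSystem, passing the offending account to the script.
# FSRM requires the full path to the executable.
$blockAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters "-NoProfile -NonInteractive -File `"$blockScript`" -username `"[Source Io Owner]`"" `
    -SecurityLevel LocalSystem `
    -KillTimeOut 5

# Active screening: the write is refused and both actions fire.
New-FsrmFileScreen -Path $sharePath `
    -Description 'Block known Ransomware file names' `
    -IncludeGroup 'Ransomware_Extensions' `
    -Active `
    -Notification $eventAction, $blockAction

# Passive screening (notify only): omit -Active and keep only the event action.
# New-FsrmFileScreen -Path $sharePath -IncludeGroup 'Ransomware_Extensions' `
#     -Notification $eventAction

# Check the result: with active screening this write must fail with "access denied".
try {
    New-Item -Path (Join-Path $sharePath 'fsrm-selftest.locky') -ItemType File -ErrorAction Stop
    Write-Warning 'File screen is NOT blocking: the test file was created.'
} catch {
    Write-Output "File screen is blocking as expected: $($_.Exception.Message)"
}
```

Run the self-test from an account that is safe to block, because the command action acts on whichever account triggers the screen.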


FIGURE 4. Creating a File Screen template

An example of the PowerShell command that is required to kick a user off the file share is as follows:

param(
    [string]$username = ""
)
# Deny the named account access to every non-special SMB share on this server
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName "$username" -Force
}

How to identify unknown Ransomware that has not triggered

The following symptoms can point to an active Ransomware infection:

• Steady (non-bursty) increase in workload for the volume

• The added workload is approximately 50% read / 50% write

• The added workload has 0% compression, 0% deduplication

• The used space on the file system is not changing considerably

There are a few methods to determine if Ransomware is active on a client and affecting a server. The first method is to be aware of the performance statistics on the HPE Nimble volumes from HPE InfoSight.

You can determine these facts from differing sources. Ransomware reads files from the file system and then overwrites those same files with encrypted data of the same size. And because encrypted data is not compressible or dedupable, the volume and snapshot usage should increase together. This historical trend can be very easily seen via the HPE InfoSight Volume Capacity Trend, shown in FIGURE 5.

FIGURE 5. HPE InfoSight Volume Capacity Trend

In this case, you can see that a steady increase in the volume size started in mid-October, and since files were being overwritten, that increase translated to an enlargement of the Snapshot Usage as well.

The trend for read/write ratio can also be determined from HPE InfoSight by looking at the performance tab for an individual volume and using the Throughput graph. A common file server is weighted towards higher read/write ratios (75%+ read), whereas active Ransomware will drive this average towards an equal read/write ratio (50% read). FIGURE 6 shows the transition towards a 50% read/write ratio occurring at roughly the date of Ransomware infection.

FIGURE 6. HPE InfoSight “Throughput” graph
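The symptoms above can be checked together once the daily figures are recorded side by side. The following is an added example, not part of the original white paper: the property names, thresholds, and sample values are all constructed, and the figures are assumed to have been collected by hand from the HPE InfoSight graphs and from the Windows free-space record.

```powershell
# Added example (not from the white paper). Property names and thresholds are assumptions.
function Find-OverwritePattern {
    param(
        [Parameter(Mandatory)] [object[]] $Samples,  # one object per day, oldest first
        [double] $ReadTolerance  = 0.10,  # read share is "near 50%" within +/- this value
        [long]   $MinArrayGrowth = 1GB,   # ignore days with less array-side growth than this
        [double] $MaxFsShare     = 0.25,  # file-system growth must stay below this share of array growth
        [int]    $MinRun         = 3      # consecutive suspicious days required before reporting
    )
    $run = 0
    $runStart = $null
    for ($i = 1; $i -lt $Samples.Count; $i++) {
        $prev = $Samples[$i - 1]
        $cur  = $Samples[$i]

        $io          = $cur.ReadBytes + $cur.WriteBytes
        $readShare   = if ($io -gt 0) { $cur.ReadBytes / $io } else { 1.0 }
        $arrayGrowth = $cur.ArrayUsedBytes - $prev.ArrayUsedBytes   # volume + snapshot usage
        $fsGrowth    = $cur.FsUsedBytes - $prev.FsUsedBytes         # Windows view of used space

        # Suspicious day: reads and writes roughly equal, the array keeps growing,
        # but the file system reports almost no additional used space.
        $suspicious = ([math]::Abs($readShare - 0.5) -le $ReadTolerance) -and
                      ($arrayGrowth -ge $MinArrayGrowth) -and
                      ($fsGrowth -le ($MaxFsShare * $arrayGrowth))

        if ($suspicious) {
            if ($run -eq 0) { $runStart = $cur.Date }
            $run++
            if ($run -ge $MinRun) {
                return [pscustomobject]@{ Onset = $runStart; ConsecutiveDays = $run }
            }
        } else {
            $run = 0   # an isolated day (for example a one-off bulk copy) resets the count
        }
    }
    return $null   # no sustained pattern found
}

# Constructed sample data: four normal days, then a sustained overwrite pattern.
$samples = @(
    [pscustomobject]@{ Date='2019-10-17'; ReadBytes=80GB; WriteBytes=20GB; ArrayUsedBytes=4000GB; FsUsedBytes=6000GB }
    [pscustomobject]@{ Date='2019-10-18'; ReadBytes=82GB; WriteBytes=21GB; ArrayUsedBytes=4002GB; FsUsedBytes=6002GB }
    [pscustomobject]@{ Date='2019-10-19'; ReadBytes=79GB; WriteBytes=19GB; ArrayUsedBytes=4004GB; FsUsedBytes=6003GB }
    [pscustomobject]@{ Date='2019-10-20'; ReadBytes=81GB; WriteBytes=22GB; ArrayUsedBytes=4006GB; FsUsedBytes=6005GB }
    [pscustomobject]@{ Date='2019-10-21'; ReadBytes=60GB; WriteBytes=58GB; ArrayUsedBytes=4046GB; FsUsedBytes=6006GB }
    [pscustomobject]@{ Date='2019-10-22'; ReadBytes=61GB; WriteBytes=60GB; ArrayUsedBytes=4088GB; FsUsedBytes=6006GB }
    [pscustomobject]@{ Date='2019-10-23'; ReadBytes=59GB; WriteBytes=57GB; ArrayUsedBytes=4127GB; FsUsedBytes=6007GB }
    [pscustomobject]@{ Date='2019-10-24'; ReadBytes=62GB; WriteBytes=61GB; ArrayUsedBytes=4169GB; FsUsedBytes=6007GB }
)

# Reports the first day of the sustained pattern in the constructed data.
Find-OverwritePattern -Samples $samples
```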


To obtain the free space on a Windows volume, assuming you are running Windows Server 2019, you can enable the new Windows Admin Center feature called “System Insights” to enable Total Storage Consumption Forecasting. This will allow you to gather usage statistics—specifically free space going back up to a year—and will even forecast growth predictions. The only issue with this tool is that the free-space recording is disabled by default, and you must click System Insights within Windows Admin Center, select Total storage consumption forecasting settings, and then select Enabled, as shown in FIGURE 7.

FIGURE 7. “System Insights” feature in Windows Admin Center

If you are running an older version of the OS such as Windows 2016 or older, you will need to create a reoccurring PowerShell script to gather this information and manually graph this data. See the Appendix – Free space statistics on Windows Server 2016 or older for how this can be done.

In the case of the sample data, FIGURE 8 is an example of what this graphed data might look like.


FIGURE 8. Free Space graph – manually created from PowerShell script data

Using HPE Nimble Storage snapshots to compare datasets

HPE Nimble Storage provides an extra layer of protection in the form of zero-impact long-life snapshots. When a file server is infected with Ransomware, the size of snapshots increases dramatically.

The first step is to determine when the infection started to affect the file server. This can be done by retrieving the statistics on each snapshot from the HPE Nimble Storage. The command that will expose this information is built into the PowerShell Toolkit as shown below. To identify snapshots prior to the infection, look for a marked change in the new_data_compressed_bytes field in the output that follows.

PS C:\Script\DriveSpaceRecorder> Get-NSsnapshot -vol_name DS9CSV | format-table vol_name, snap_collection_name,new_data_compressed_bytes

vol_name snap_collection_name                                                new_data_compressed_bytes
-------- --------------------                                                -------------------------
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-12-09::14:00:00.000 41454361
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-12-06::14:00:00.000 41425343
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-12-05::14:00:00.000 52235434
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-12-04::14:00:00.000 42002343
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-12-03::14:00:00.000 41453243
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-12-02::14:00:00.000 53423411
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-11-27::14:00:00.000 33454361
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-11-26::14:00:00.000 41232434
. . .
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-11-07::14:00:00.000 34325321
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-11-06::14:00:00.000 34324231
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-11-05::14:00:00.000 32325343
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-11-04::14:00:00.000 53664343
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-11-01::14:00:00.000 34346633
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-31::14:00:00.000 32325453
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-30::14:00:00.000 35547723
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-29::14:00:00.000 35236233
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-28::14:00:00.000 23423453
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-25::14:00:00.000 34345122
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-24::14:00:00.000 32431125
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-23::14:00:00.000 23214456
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-22::14:00:00.000 75876556
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-21::14:00:00.000 34235342
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-20::14:00:00.000 234312
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-19::14:00:00.000 12440
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-18::14:00:00.000 1433
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-17::14:00:00.000 3433432
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-16::14:00:00.000 51234
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-15::14:00:00.000 1212
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-14::14:00:00.000 12123
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-13::14:00:00.000 34564564
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-12::14:00:00.000 342
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-11::14:00:00.000 32141
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-10::14:00:00.000 3414
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-09::14:00:00.000 34352
DS9CSV   2016-FileServices1-MasterSnapshot-EveryDay-2019-10-08::14:00:00.000 30232

As shown in the above output, the significant snapshot size growth occurs roughly on October 21st. The size of each snapshot is shown in bytes in the last column of data. The snapshot that was not written to by the infection is the “2016-FileServices1-MasterSnapshot-EveryDay-2019-10-19::14:00:00.000” snapshot, and this is the one to choose.

After identifying the target snapshot, bring that individual snapshot online and, using a differencing tool, discover what differences exist between the October 20th version of the dataset and today’s version of the dataset.

To bring a copy of the dataset online, use the HPE Nimble Windows Toolkit PowerShell commands as follows. This command does not require you to interrupt the existing file share and can be used to spot-check any file system hosted on an HPE Nimble Storage array. The following command will work on both standalone servers and cluster servers:

PS:> Invoke-CloneNimVolume -NimbleVolumeName DS9CSV -snapshotname '2016-FileServices1-MasterSnapshot-EveryDay-2019-10-19::14:00:00.000' -accesspath 'C:\TestMount'

If using a cluster, you can add the option -addtocluster or -addtoCSV. But considering this is only a test, you can mount the volume to this one cluster node (that happens to own the share).

It can be highly valuable to invest in a differencing tool such as Beyond Compare (scootersoftware.com). Use Beyond Compare to do a filesystem-to-filesystem compare and present the results visually.

After you are sure that the dataset needs a proper restoration, perform the following restoration procedure.

Restoration of file system

Stage 1 – file system restoration

The restoration of the file system can be done in two stages. The first stage of the restoration requires that the file system to be restored is taken offline temporarily. In a Windows Failover Cluster, this can be accomplished by taking the storage resource offline. In a standalone server, this can be done from DiskMgmt.msc by right clicking on the specific drive and selecting Offline, as shown in FIGURE 9.

FIGURE 9. Setting drive to "Offline" in "Disk Management"

This step is required because Windows will retain cached information about a disk, and simply replacing the disk without first taking it offline will not invalidate the cache. The effect of having invalid cache is that write operations to the disk will likely cause file system corruption.

After the disk is in an offline state, you can use the HPE Nimble Storage GUI to revert the HPE Nimble volume to the proper snapshot. (See FIGURE 10.) This process will force the HPE Nimble volume to be placed in an offline state.

FIGURE 10. Using the HPE Nimble Storage GUI to revert the HPE Nimble volume to the proper snapshot

After the HPE Nimble volume has been restored, you can rescan, reconnect, and then bring the disk back online.

Next, you should be sure that the offending user or users who were infected can no longer access the file server or the share. Only then may the file services be re-enabled on the HPE Nimble volume.

The first stage of the file system restoration is complete and has brought the dataset back to the Recovery Point Objective (RPO) that the snapshot represents.

At this point you may optionally want to move to stage 2 of the restoration. This process walks through the various snapshots that have occurred between the RPO and the current date to restore data committed to the share that was not associated with the known infected user.

Stage 2 – file system restoration

The optional stage 2 of the file system restoration can break the paradigm of the RPO. Instead of accepting the lost changes since the RPO, you can selectively replay changes from more recent snapshots based on file ownerships.

The following PowerShell command can be used to mount each individual snapshot from the HPE Nimble Storage array to a temporary mount point so that you can selectively copy individual files back to the dataset.

PS:> Invoke-CloneNimVolume -vol_name MyVolumeName -Snapshot_name MySnapshotName `
         -accesspath 'C:\Volumename_SnapShotname'

After the snapshot has been mounted, run the following command. This command will only copy files from the snapshot that are newer than the base volume (that was previously restored) and will not copy files from the specified users listed in the command.

PS:> CD C:\VolumeName_SnapShotname
PS:> $src = (Get-Location).Path
PS:> Get-ChildItem -Recurse | where { $_.LastWriteTime -gt '2019-10-15 08:00:00' } | `
         where { $_.PSIsContainer -eq $False } | `
         where { ($_ | Get-Acl).Owner -ne 'MyDomain\user' } | `
         ForEach-Object {
             # Recreate each file's folder path under F:\ instead of copying every file into the root
             $dest = Join-Path 'F:\' $_.FullName.Substring($src.Length).TrimStart('\')
             $dir  = Split-Path $dest
             if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
             Copy-Item -LiteralPath $_.FullName -Destination $dest
         }

After the copy process is complete, you can then remove this snapshot and move to the next newer snapshot, until you have processed all of the remaining newer snapshots.

PS:> Remove-NimVolume -name MySnapshotName

By following this procedure you can restore individual files by replaying them from the newer snapshots without allowing the overwriting changes from the rogue user.

This process can be wrapped in either a simple progressive script, or it could be added via a PowerShell For loop using the output of the Get-NimSnapshot -vol_name Volumename command.

SUMMARY

Your strategy on Ransomware protection for your Windows SMB File infrastructure should be split into three distinct stages: prevention of known Ransomware, detection of new Ransomware, and recovery from the effects of Ransomware.

There are a number of steps that need to occur prior to a Ransomware attack to aid in the detection and prevention. These include setting up filters to prevent (or warn) when some file types are being written and to inform you when this has occurred. This step can also be empowered to automatically disable access to shares or even suspend a domain account, depending on how aggressive your stance is regarding automation.

Recording a baseline of your read/write ratios as well as your expected compression and deduplication rates is of great use and is required for the detection phase. This step is helped greatly by automatic phone-home actions of HPE InfoSight.

And finally, recovery actions rely heavily on a robust and long-life snapshot schedule that can be used not only to return to a specific Recovery Point Objective, but also, using single-file-restore methods, to pull non-compromised files from the many snapshots that exist between the RPO time and the current time.

APPENDIX – FREE SPACE STATISTICS ON WINDOWS SERVER 2016 OR OLDER

To read the free space on a Windows volume on a Windows Server 2016 or older server, you need to run the following PowerShell snippet. This snippet can be rolled into a reoccurring script that can retain this information over the lifetime of a server. The following script can be deployed to your hosts and it will record the following every time it is run:

• The HPE Nimble volumes that are connected to your host

• The HPE Nimble volume size and the Windows volume size

• The Windows view of free space

The script also contains the drive letter or path that is assigned to that datum to make cross reference to your SMB or NFS shares easier.

$CPWD    = Get-Location
$NPath   = 'C:\Program Files\Nimble Storage'
$LogFile = Join-Path $NPath 'MicrosoftFileSystemFreeSpace.csv'
if ( -not ( Test-Path $LogFile ) ) {
    # Create the log file if the script has never been run before
    "Logfile for Node $(hostname) of free disk space on connected Nimble Volume" | Out-File $LogFile
    "DateTime,NimbleVolumeName, NimbleVolumeSize, WindowsPath, WindowsVolume, WindowsVolumeSize, " +
        "WindowsVolumeFreeSpace" | Out-File -Append $LogFile
}
# Build paths with Join-Path; "$NPath+'\bin\'" as a bare argument is not concatenated
Set-Location (Join-Path $NPath 'bin')
Import-Module -Name (Join-Path $NPath 'bin\Nimble.Powershell.dll')
foreach ( $NV in (Get-NimVolume) ) {
    $VMP   = ($NV.WindowsVolumes).MountPoints
    $VDID  = ($NV.WindowsVolumes).DeviceID
    $V     = Get-Volume -UniqueId $VDID
    $TDate = Get-Date -Format "MM/dd/yyyy HH:mm:ss"
    # One row per Nimble volume; $VDID fills the WindowsVolume column named in the header
    $OutString = $TDate + ", " + $NV.NimbleVolumeName + ", " + ($NV.DiskSize * 1024) + ", " + $VMP +
        ", " + $VDID + ", " + $V.Size + ", " + $V.SizeRemaining
    $OutString | Out-File -Append $LogFile
}
Set-Location $CPWD

After this script has been placed on your server, you can execute it automatically each day using the following Windows Schedule command, which only needs to be run once.

# powershell.exe -File only strips double quotes, so the script path is double-quoted
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument `
    '-NonInteractive -NoLogo -NoProfile -File "C:\script\FreeSpaceRecorder.ps1"'
# -Daily (not -Once) so that the recorder runs every day at 3 a.m.
$Trigger = New-ScheduledTaskTrigger -Daily -At 3am
$Settings = New-ScheduledTaskSettingsSet
$Task = New-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings
Register-ScheduledTask -TaskName 'FreeFileSpaceRecorder' -InputObject $Task `
    -User 'username' -Password 'passhere'

At a point in the future as a test, you can import the CSV file to Excel and graph the available free space on your various file systems over time. This data can be used to show that while the space used on the volume is steadily increasing, that increase is not reflected in the space of the file system according to Windows. This is indicative of files being overwritten with encrypted/non-compressible versions.


© Copyright 2020 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All third-party marks are property of their respective owners.

a00095918ENW, February 2020


RESOURCES AND ADDITIONAL LINKS

HPE InfoSight hpe.com/us/en/solutions/infosight.html

Microsoft File Server Resource Manager docs.microsoft.com/en-us/windows-server/storage/fsrm/fsrm-overview

Introducing Windows Server System Insights (blog) https://cloudblogs.microsoft.com/windowsserver/2018/06/19/introducing-windows-server-system-insights/

Beyond Compare from Scooter Software scootersoftware.com

LEARN MORE AT hpe.com/us/en/storage/nimble.html